This blog post presents my solution to exercise 1 on page 123 from the book Practical Reverse Engineering by Bruce Dang, Alexandre Gazet and Elias Bachaalany (ISBN: 1118787315). The book is my first contact with reverse engineering, so take my statements with a grain of salt. All code snippets are on GitHub. For an overview of my solutions consult this progress page.

All four kernel variables ExpSystemResourcesList, ExNPagedLookasideListHead, ExpFirmwareTableProviderListHead and ExpSystemResourcesList are indeed of type _LIST_ENTRY, which is easily verified with the kernel debugger:

The register rcx points to a _KTHREAD structure. At offset 8 we find the WaitListHead inside the Header structure. The second instance follows right after that and initializes MutantListHead at offset 308h of _KTHREAD:

rdi holds the same address as rcx and therefore also points to the _KTHREAD structure. At offset 98h of the thread structure is the member ApcState, and at offsets 0 and 8 into ApcState we indeed find the Flink and Blink pointers. The fourth and last InitializeListHead usage follows right after the previous one:
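To make the inlined InitializeListHead pattern concrete, here is a small C model that I added for this write-up; it is not code from the book or from Windows. KTHREAD_MODEL is a constructed stand-in whose padding reproduces only the three offsets discussed above (8h, 98h, 308h), not the real _KTHREAD layout, and the helper names InitializeListHead/InsertTailList mirror the kernel macros they imitate.

```c
#include <stddef.h>

/* Doubly-linked list head as used throughout the Windows kernel. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* InitializeListHead: an empty list is a head whose Flink and Blink both
 * point back at the head itself; inlined, this is the
 * "lea reg,[base+off]; mov [reg],reg; mov [reg+8],reg" sequence. */
static void InitializeListHead(LIST_ENTRY *Head) {
    Head->Flink = Head->Blink = Head;
}

/* Link Entry in front of Head, i.e. at the tail of the circular list. */
static void InsertTailList(LIST_ENTRY *Head, LIST_ENTRY *Entry) {
    LIST_ENTRY *Blink = Head->Blink;
    Entry->Flink = Head;
    Entry->Blink = Blink;
    Blink->Flink = Entry;
    Head->Blink = Entry;
}

/* True exactly when Head was initialized and nothing has been linked in. */
static int list_head_is_empty(const LIST_ENTRY *Head) {
    return Head->Flink == Head && Head->Blink == Head;
}

/* Constructed stand-in for the parts of _KTHREAD discussed above; the padding
 * reproduces only the offsets named in the text (assumption, not the real layout). */
typedef struct {
    unsigned char HeaderLock[8];     /* +0x000 */
    LIST_ENTRY WaitListHead;         /* +0x008, inside Header */
    unsigned char Pad1[0x98 - 0x18];
    LIST_ENTRY ApcListHead;          /* +0x098, first LIST_ENTRY inside ApcState */
    unsigned char Pad2[0x308 - 0xA8];
    LIST_ENTRY MutantListHead;       /* +0x308 */
} KTHREAD_MODEL;

/* Offsets a reverser compares against the lea displacements in the disassembly. */
static size_t offset_WaitListHead(void)   { return offsetof(KTHREAD_MODEL, WaitListHead); }
static size_t offset_ApcListHead(void)    { return offsetof(KTHREAD_MODEL, ApcListHead); }
static size_t offset_MutantListHead(void) { return offsetof(KTHREAD_MODEL, MutantListHead); }

/* Initialize all three heads, link one entry into MutantListHead and
 * return how many heads are still empty afterwards (expected 2). */
static int model_demo(void) {
    static KTHREAD_MODEL t;
    static LIST_ENTRY mutant;
    InitializeListHead(&t.WaitListHead);
    InitializeListHead(&t.ApcListHead);
    InitializeListHead(&t.MutantListHead);
    InsertTailList(&t.MutantListHead, &mutant);
    return list_head_is_empty(&t.WaitListHead) + list_head_is_empty(&t.ApcListHead)
         + list_head_is_empty(&t.MutantListHead);
}
```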